Nginx Question posted in
The official documentation can be found here.

Nginx-1.19.6 + Openssl 1.1.1i – Can't do SSL handshake

i’m trying to run a server using Nginx with sslv3 and ciphers RC4-SHA:RC4-MD5 support (i need exactly these ciphers).
I was able to do this on Ubuntu 16.04 using Openssl 1.0.2u source + last nginx version source (nginx-1.19.6). I builded Nginx using this command:

./configure --with-http_ssl_module --with-openssl=/path/to/openssl-1.0.2u --with-openssl-opt=enable-ssl3 --with-openssl-opt=enable-ssl3-method --with-openssl-opt=enable-weak-ssl-ciphers

Nginx config i used is:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_protocols SSLv3;
    ssl_ciphers RC4-SHA:RC4-MD5:@SECLEVEL=0;
    ssl_certificate /path/to/server-chain.crt;
    ssl_certificate_key /path/to/server.key;
    server_name server.name.net;
    underscores_in_headers on;
    proxy_pass_request_headers on;
    location / {    
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:9000;
    }
}

After setting up nginx config file everything worked perfectly. I was able to obtain the ssl certificate using this command from an Ubuntu 14.04 machine:

openssl s_client -connect MyIP:443 -ssl3 -cipher RC4-SHA:RC4-MD5.

I tryed to do the same thing building Nginx with Openssl 1.1.1i source with the same configuration options, but after setting up nginx conf file, when i try to run openssl s_client -connect... command, i get this error:

CONNECTED(00000003)
140420793624224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1612540521
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

In Nginx error.log file i got this:

SSL_do_handshake() failed (SSL: error:141FC044:SSL routines:tls_setup_handshake:internal error) while SSL handshaking, client: 192.168.1.10, server: 0.0.0.0:443

Did something change with openssl 1.1.1? Am i missing any configuration options to enable SSLv3 + RC4-SHA:RC4-MD5?
Thanks for any tips!

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    In the end i was able to fix this!

    I downloaded the last openssl source (1.1.1i) and the last nginx source (1.19.6). I compiled and installed openssl with the following commands:

    ./config enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers
make
sudo make install

    I edited openssl.cnf file (/usr/local/ssl/openssl.cnf) adding

    openssl_conf = default_conf

    at the beginning of the file and adding

    [default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = ALL:@SECLEVEL=0

    at the bottom of the file. This enables old ciphers (i needed RC4-SHA and RC4-MD5). Then i compiled and installed nginx with the following commands:

    ./configure --with-http_ssl_module --with-ld-opt="-L/usr/local"
make
sudo make install

    After configuring nginx for ssl certificates i was able to get them using the openssl s_client... command!


  2. 0

    SSL Ciphers in nginx need to be supported by your openSSL Version. From the openSSL Changelog of 1.0.2h and 1.1.0:

    RC4 based libssl ciphersuites are now classed as "weak" ciphers and are disabled by default. They can be re-enabled using the enable-weak-ssl-ciphers option to Configure.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search